Introduction to Security


IS 2150 / TEL 2810 Introduction to Security
James Joshi, Professor, SIS
Lecture 12, 2016: Intrusion Detection, Auditing System, Firewalls & VPN

Intrusion Detection

Intrusion Detection/Response
Denning: systems under attack fail to meet one or more of the following characteristics:
1. Actions of users/processes conform to statistically predictable patterns
2. Actions of users/processes do not include sequences of commands to subvert security policy
3. Actions of processes conform to specifications describing allowable actions

Intrusion Detection
- Idea: an attack can be discovered when one of the above is violated
- Practical goals of intrusion detection systems:
  - Detect a wide variety of intrusions (known + unknown)
  - Detect in a timely fashion
  - Present analysis in a useful manner; many components need to be monitored, so proper interfaces are needed
  - Be (sufficiently) accurate: minimize false positives and false negatives

IDS Types: Anomaly Detection
- Compare system characteristics with expected values
- Threshold metric: statistics deviate beyond a threshold
  - E.g., number of failed logins
- Statistical moments: mean/standard deviation
  - Number of user events in a system
  - Time periods of user activity
  - Resource usage profiles
- Markov model: based on the current state, the expected likelihood of transition to new states
  - If a low-probability event occurs, it is considered suspicious
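As an added example that is not part of the lecture slides, the following Python code implements the three anomaly-detection metrics listed above over constructed data: a fixed threshold on failed logins, a mean/standard-deviation profile, and a first-order Markov model of command transitions. The baseline counts, the training command sequence and the cut-off values (k = 3 standard deviations, a probability floor of 0.1) are assumptions made for illustration.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed baseline: failed logins per hour for one user over a normal
# day (hypothetical values used to build the statistical profile).
BASELINE_FAILED_LOGINS = [2, 1, 0, 3, 2, 1, 0, 2, 1, 3, 2, 1,
                          0, 1, 2, 2, 1, 0, 3, 1, 2, 1, 0, 2]

# Constructed training sequence of shell commands for the same user.
TRAINING_COMMANDS = "ls cd ls cat ls cd ls cat vi ls cd ls cat ls".split()


def threshold_alert(count, limit=10):
    """Threshold metric: alert when a statistic exceeds a fixed limit."""
    return count > limit


def build_profile(samples):
    """Statistical moments: mean and population standard deviation."""
    return mean(samples), pstdev(samples)


def moment_alert(count, profile, k=3.0):
    """Alert when an observation lies more than k standard deviations
    from the mean of the profile."""
    mu, sigma = profile
    return abs(count - mu) > k * sigma


def train_markov(sequence):
    """Markov model: estimate P(next | current) from observed transitions."""
    counts = defaultdict(Counter)
    for cur, nxt in zip(sequence, sequence[1:]):
        counts[cur][nxt] += 1
    return {cur: {nxt: n / sum(c.values()) for nxt, n in c.items()}
            for cur, c in counts.items()}


def transition_probability(model, cur, nxt):
    """Probability of cur -> nxt; a transition never seen in training gets 0.0."""
    return model.get(cur, {}).get(nxt, 0.0)


def markov_alerts(model, sequence, floor=0.1):
    """Return the transitions whose probability is below the floor; these
    are the low-probability events the slide treats as suspicious."""
    return [(cur, nxt) for cur, nxt in zip(sequence, sequence[1:])
            if transition_probability(model, cur, nxt) < floor]


if __name__ == "__main__":
    profile = build_profile(BASELINE_FAILED_LOGINS)
    print("profile mean/stddev:", profile)
    print("5 failed logins this hour ->",
          "ALERT" if moment_alert(5, profile) else "ok")
    model = train_markov(TRAINING_COMMANDS)
    print("unusual transitions:", markov_alerts(model, ["ls", "cat", "gcc"]))
```

The three detectors trade off differently: the threshold needs no training but misses slow changes, the moment profile adapts to the user's own rate but is blind to which events occur, and the Markov model catches an unusual ordering of otherwise normal commands.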

IDS Types: Misuse Modeling
- Does a sequence of instructions violate the security policy?
- Problem: how do we know all violating sequences?
- Solution: capture known violating sequences
  - Generate a rule set for an intrusion signature
- Alternate solution: state-transition approach
  - Known bad state transition from an attack
  - Capture when the transition has occurred (user → root)
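The two misuse-modeling approaches above, as an added Python example that is not part of the lecture slides: a signature rule set matched against individual audit records, and a state-transition detector that reports the point where a subject's uid changes from an ordinary user to root. The audit record format, the sample records and the single signature are constructed for illustration.

```python
import re

# Constructed audit records in a hypothetical format:
# "<time> uid=<n> <operation> <object> [attrs]".
AUDIT_LOG = [
    "10:00:01 uid=1001 exec /bin/ls",
    "10:00:05 uid=1001 exec /usr/bin/vi",
    "10:00:06 uid=1001 open /etc/shadow mode=w",
    "10:00:09 uid=0 exec /bin/sh",
]

# Rule set: each intrusion signature is a name and a pattern over one record.
# Hypothetical rule: a non-root uid opening /etc/shadow for writing.
SIGNATURES = {
    "shadow-write-by-nonroot":
        re.compile(r"uid=(?!0\b)\d+ open /etc/shadow mode=w"),
}

RECORD = re.compile(r"^\S+ uid=(\d+) (\S+) (\S+)")


def match_signatures(records, rules=SIGNATURES):
    """Signature matching: return (record index, signature name) for every
    record that matches a known violating pattern."""
    return [(i, name) for i, rec in enumerate(records)
            for name, pattern in rules.items() if pattern.search(rec)]


def parse_states(records):
    """Turn records into (uid, operation, object) states for the
    state-transition approach; records that do not parse are skipped."""
    states = []
    for rec in records:
        m = RECORD.match(rec)
        if m:
            states.append((int(m.group(1)), m.group(2), m.group(3)))
    return states


def detect_user_to_root(records):
    """State-transition approach: report the index of every record at which
    the subject's uid changes from non-root to root (0)."""
    states = parse_states(records)
    return [i for i in range(1, len(states))
            if states[i - 1][0] != 0 and states[i][0] == 0]


if __name__ == "__main__":
    print("signature hits:", match_signatures(AUDIT_LOG))
    print("user -> root transitions at records:", detect_user_to_root(AUDIT_LOG))
```

The signature fires only on the exact pattern it encodes, which is the "how do we know all violating sequences" problem from the slide; the state-transition check fires on the outcome (a uid becoming 0) regardless of which command sequence produced it.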

Specification Modeling
- Does a sequence of instructions violate the system specification?
- What is the system specification?
- Need to formally specify the operations of potentially critical (trusted) code
- Verify that post-conditions are met

IDS Systems
- Anomaly detection
  - Intrusion Detection Expert System (IDES); its successor is NIDES
  - Network Security Monitor (NSM)
- Misuse detection
  - Intrusion Detection In Our Time (IDIOT), based on colored Petri nets
  - USTAT
  - ASAX (rule-based)
- Hybrid
  - NADIR (Los Alamos)
  - Haystack (Air Force, adaptive)
  - Hyperview (uses a neural network)
  - Distributed IDS (Haystack + NSM)

IDS Architecture
- Similar to an audit system: log events, analyze the log
- Difference: happens in real time (timely fashion)
- (Distributed) IDS idea:
  - Agent generates the log
  - Director analyzes the logs; may be adaptive
  - Notifier decides how to handle the result
- GrIDS displays attacks in progress
[Figure: an Agent on each host sends its log to the Director, which passes its analysis to the Notifier]

Where is the Agent?
- Host-based IDS watches events on the host; often uses existing audit logs
- Network-based IDS: packet sniffing, firewall logs

IDS Problem
- An IDS is useless unless accurate:
  - A significant fraction of intrusions is detected
  - A significant number of alarms correspond to intrusions
- Goal is to:
  - Reduce false positives: reports an attack, but no attack is underway
  - Reduce false negatives: an attack occurs but the IDS fails to report it

Intrusion Response
- Incident prevention: stop the attack before it succeeds
  - Measures to detect the attacker; example: jailing (also honeypots)
- Intrusion handling
  - Preparation for detecting attacks
  - Identification of an attack
  - Contain the attack
  - Eradicate the attack
  - Recover to a secure state
  - Follow up to the attack: punish the attacker

Containment
- Passive monitoring: track intruder actions; eases recovery and punishment
- Constraining access: downgrade attacker privileges; protect sensitive information
- Why not just pull the plug?

Eradication
- Terminate the network connection
- Terminate processes
- Block future attacks: close ports, disallow specific IP addresses, wrappers around attacked applications

Follow-Up
- Legal action: trace through the network
- Cut off resources: notify the ISP of the action
- Counterattack: is this a good idea?

Auditing

What is Auditing?
- Auditing systems: logging, audit analysis
- Key issues: what to log? what do you audit?
- Goals/uses:
  - User accountability
  - Damage assessment
  - Determine causes of security violations
  - Describe the security state for monitoring critical problems
  - Evaluate the effectiveness of protection mechanisms

Audit System Structure
- Logger: records information, usually controlled by parameters
- Analyzer: logs may come from multiple systems or a single system; may lead to changes in logging; may lead to a report of an event
- Notifier: informs the analyst and other entities of the results of analysis; may reconfigure logging and/or analysis on the basis of the results; may take some action

Example: Windows NT
- Different logs for different types of events
  - System event log records system crashes, component failures, and other system events
  - Application event log records events that applications request be recorded
  - Security event log records security-critical events such as logging in and out, system file accesses, and other events
- Logs are binary; use the Event Viewer to see them
- If a log is full, the system can be shut down, logging disabled, or logs overwritten

Windows NT Sample Entry
Date: 2/12/2000    Source: Security
Time: 13:03        Category: Detailed Tracking
Type: Success      EventID: 592
User: WINDSOR\Administrator
Computer: WINDSOR
Description: A new process has been created:
  New Process ID: 2216594592
  Image File Name: \Program Files\Internet Explorer\IEXPLORE.EXE
  Creator Process ID: 2217918496
  User Name: Administrator
  Domain: WINDSOR
  Logon ID: (0x0,0x14B4c4)
[would be in graphical format]

Designing an Audit System
- Goals determine what is logged
- Idea: auditors want to detect violations of policy, which provides a set of constraints that the set of possible actions must satisfy
- So, audit the functions that may violate the constraints
- Constraint p_i: action ⇒ condition

Implementation Issues
- Show non-secure or find violations? The former requires logging the initial state and all changes
- Defining violations: does "write" include append and create directory?
- Multiple names for one object: logging goes by object and not by name; representations can affect this
- Syntactic issues: correct grammar, unambiguous semantics

Log Sanitization
- U: set of users; P: policy defining the set of information C(U) that U cannot see; a log is sanitized when all information in C(U) has been deleted from it
- Two types of P:
  - C(U) can't leave the site: people inside the site are trusted and the information is not sensitive to them
  - C(U) can't leave the system: people inside the site are not trusted or (more commonly) the information is sensitive to them; don't log this sensitive information

Logging Organization
[Figure: top: Logging system → Log → Sanitizer → Users; bottom: Logging system → Sanitizer → Log → Users]
- Top prevents information from leaving the site; users' privacy is not protected from system administrators and other administrative personnel
- Bottom prevents information from leaving the system; data is simply not recorded, or data is scrambled before recording (cryptography)

Reconstruction
- Anonymizing sanitizer cannot be undone
- Pseudonymizing sanitizer can be undone
- Importance: suppose security analysis requires access to information that was sanitized?

Issue
- Key: sanitization must preserve the properties needed for security analysis
- If new properties are added (because the analysis changes), the information may have to be resanitized; this requires pseudonymous sanitization or the original log

Example
- A company wants to keep its IP addresses secret, but wants a consultant to analyze logs for an address scanning attack
- Connections to port 25 on IP addresses 10.163.5.10, 10.163.5.11, 10.163.5.12, 10.163.5.13, 10.163.5.14, ...
- Sanitize with random IP addresses: cannot see the sweep through consecutive IP addresses
- Sanitize with sequential IP addresses: can see the sweep through consecutive IP addresses
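The sanitization example above, worked in Python as an added example that is not part of the lecture slides. Both sanitizers are pseudonymizing (each keeps a mapping table, so the on-site team can undo them); only the sequential one preserves the adjacency property the consultant's sweep check needs. The log entries reuse the slide's addresses, the pseudonym base 192.0.2.0 and the minimum run length of 4 are assumptions, and the random seed is fixed so the run is reproducible.

```python
import ipaddress
import random

# Constructed log: (source address, destination port) for the sweep in the
# slide; the 10.163.5.x addresses are the ones the company wants hidden.
LOG = [("10.163.5.10", 25), ("10.163.5.11", 25), ("10.163.5.12", 25),
       ("10.163.5.13", 25), ("10.163.5.14", 25)]


def random_sanitizer(log, seed=1):
    """Pseudonymize each distinct address with a random, unrelated address.
    Returns the sanitized log and the mapping table (which stays on site)."""
    rng = random.Random(seed)
    table = {}
    for ip, _ in log:
        while ip not in table:
            candidate = str(ipaddress.IPv4Address(rng.getrandbits(32)))
            if candidate not in table.values():   # keep pseudonyms distinct
                table[ip] = candidate
    return [(table[ip], port) for ip, port in log], table


def sequential_sanitizer(log, base="192.0.2.0"):
    """Order-preserving pseudonyms: the real addresses, sorted, map to
    consecutive addresses starting at `base`, so a sweep stays visible."""
    start = ipaddress.IPv4Address(base)
    real = sorted({ip for ip, _ in log}, key=ipaddress.IPv4Address)
    table = {ip: str(start + i) for i, ip in enumerate(real)}
    return [(table[ip], port) for ip, port in log], table


def looks_like_sweep(log, port=25, min_run=4):
    """The consultant's check: at least min_run consecutive addresses
    were contacted on the same port."""
    addrs = sorted({int(ipaddress.IPv4Address(ip)) for ip, p in log if p == port})
    best = run = 1
    for a, b in zip(addrs, addrs[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best >= min_run


def unsanitize(sanitized, table):
    """Pseudonymizing sanitization can be undone with the mapping table."""
    inverse = {pseudo: real for real, pseudo in table.items()}
    return [(inverse[ip], port) for ip, port in sanitized]


if __name__ == "__main__":
    for name, fn in (("random", random_sanitizer), ("sequential", sequential_sanitizer)):
        sanitized, table = fn(LOG)
        print(f"{name}: sweep visible = {looks_like_sweep(sanitized)}; "
              f"undo ok = {unsanitize(sanitized, table) == LOG}")
```

The design point from the slide is that the choice of sanitizer is driven by the analysis: the sequential mapping leaks one extra property (address order), and that is exactly the property the scan analysis depends on.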

Firewalls & VPN

What is a VPN?
- A network that supports a closed community of authorized users
- Uses the public Internet as part of the virtual private network
- There is traffic isolation: contents, services and resources are secure
- Provides security: confidentiality and integrity of data, user authentication, network access control
- IPSec can be used

Tunneling in VPN

Perimeter Defense
- An organizational system consists of a network of many host machines; the system is as secure as the weakest link
- Use perimeter defense: define a border and use a gatekeeper (firewall)
- If host machines are scattered and need to use a public network, use encryption: Virtual Private Networks (VPNs)

Perimeter Defense: Is it adequate?
- Locating and securing all perimeter points is quite difficult
- Less effective for a large border
- Inspecting/ensuring that remote connections are adequately protected is difficult
- Insider attack is often the most damaging

Firewalls
- Total isolation of networked systems is undesirable; use firewalls to achieve selective border control
- A firewall is a configuration of machines and software that limits network access for the many devices inside
- Alternate: a firewall is a host that mediates access to a network, allowing and disallowing certain types of access based on a configured security policy

What Firewalls Can't Do
- They are not a panacea; they only add to defense in depth
- Can provide a false sense of security
- Cannot prevent insider attack
- Firewalls act at a particular layer

The Development of Firewalls

First Generation
- Packet filtering firewalls are simple networking devices that filter packets by examining every incoming and outgoing packet header
- Can selectively filter packets based on values in the packet header: IP address, type of packet, port request, and/or other elements

Second Generation
- Application-level firewalls often consist of dedicated computers kept separate from the first filtering router (edge router)
- Commonly used in conjunction with a second or internal filtering router
- The proxy server, rather than the Web server, is exposed to the outside world from within a network segment called the demilitarized zone (DMZ)
- Implemented for specific protocols

Third Generation
- Stateful inspection firewalls keep track of each network connection established between internal and external systems: the state and context of each packet exchanged (who / when)
- Can restrict incoming packets by matching them with requests from internal hosts
- Non-matching packets: the firewall uses ACL rights to determine whether to allow the packet to pass

Fourth Generation
- A fourth-generation firewall, or dynamic packet filtering firewall, allows only a particular packet with a specific source, destination, and port address to pass through the firewall
- Understands how the protocol functions, and opens and closes pathways in the firewall accordingly
- An intermediate form between traditional static packet filters and application proxies
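To make the difference between the first and third generations concrete, here is an added Python example (not from the lecture slides) of a header-only packet filter beside a stateful inspection firewall that reuses it. The ACL, the internal network 10.0.0.0/8, the mail relay address 10.0.0.9 and the sample packets (documentation-range addresses) are all constructed; the point shown is that a reply to an internal client's outbound connection is denied by the static ACL but admitted by the connection table, while non-matching inbound packets fall back to the ACL rights as the slide states.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal network

# Constructed ACL, first match wins: (src net, dst net, proto, dst port, action).
# None means "any".
ACL = [
    ("0.0.0.0/0", "10.0.0.9/32", "tcp", 25, "allow"),   # inbound mail to the relay
    ("10.0.0.0/8", "0.0.0.0/0", "tcp", None, "allow"),   # any outbound TCP
    ("0.0.0.0/0", "0.0.0.0/0", None, None, "deny"),      # default deny
]


def _matches(pkt, rule):
    src, dst, proto, dport, _ = rule
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(dst)
            and proto in (None, pkt.proto)
            and dport in (None, pkt.dport))


def packet_filter(pkt, acl=ACL):
    """First generation: decide on the header alone, with no memory of
    earlier packets."""
    for rule in acl:
        if _matches(pkt, rule):
            return rule[4]
    return "deny"


class StatefulFirewall:
    """Third generation: remember connections opened from inside and admit
    the inbound packets that belong to them; everything else uses the ACL."""

    def __init__(self, acl=ACL, internal=INTERNAL):
        self.acl = acl
        self.internal = internal
        self.connections = set()   # (src, sport, dst, dport) of allowed outbound flows

    def process(self, pkt):
        if ipaddress.ip_address(pkt.src) in self.internal:
            decision = packet_filter(pkt, self.acl)
            if decision == "allow":
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return decision
        # Inbound: a reply to a request from an internal host matches the
        # reversed tuple in the table; non-matching packets use the ACL rights.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections:
            return "allow"
        return packet_filter(pkt, self.acl)


if __name__ == "__main__":
    request = Packet("10.0.0.5", 51234, "203.0.113.7", 443)
    reply = Packet("203.0.113.7", 443, "10.0.0.5", 51234)
    fw = StatefulFirewall()
    print("static filter on reply:", packet_filter(reply))
    print("stateful: request", fw.process(request), "/ reply", fw.process(reply))
```

A real stateful firewall also ages entries out of the table and tracks the TCP handshake; this example keeps only the lookup that distinguishes the two generations.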

Firewall Architectures
- Each type can be implemented in a number of architectural configurations
- Four architectural implementations of firewalls are especially common:
  - Packet filtering routers
  - Screened-host firewalls
  - Dual-homed host firewalls
  - Screened-subnet firewalls

Packet Filtering Routers
- Most organizations with an Internet connection use a router between their internal networks and the external service provider
- Limitation: lacks auditing and strong authentication; the complexity of the ACLs used to filter the packets can grow to the point of degrading network performance

Packet Filtering Router/Firewall

Screened-Host Firewall Systems
- Screened-host firewall systems combine a packet filtering router with a separate, dedicated firewall such as an application proxy server
- The application proxy examines an application layer protocol, such as HTTP, and performs the proxy services
- This separate host, referred to as a bastion host, represents a single, rich target for external attacks, and should be very thoroughly secured

Screened-Host Firewall

Dual-Homed Host Firewalls
- In this configuration, the bastion host contains two network interfaces:
  - One connected to the external network
  - One connected to the internal network, requiring all traffic to travel through the firewall to move between the internal and external networks
- Network address translation (NAT) is often implemented with this architecture: it converts external IP addresses to special ranges of internal IP addresses

Figure 9-7 Dual-Homed Host Firewall

Screened-Subnet Firewalls (with DMZ)
- Consists of one or more internal bastion hosts located behind a packet filtering router, with each host protecting the trusted network

Summary
- Intrusion detection systems: various types
- Auditing: design issues
- Firewalls: four different types